一种无监督的数据库用户行为异常检测方法  被引量:11

User Behavior Anomaly Detection for Database Based on Unsupervised Learning

在线阅读下载全文

作  者:李海斌 李琦[1] 汤汝鸣 吴珺 吕志远 裴丹[1] 史俊杰 董旭 房双德 杨一飞 吴烨 LI Hai-bin;LI Qi;TANG Ru-ming;WU Jun;LV Zhi-yuan;PEI Dan;SHI Jun-jie;DONG Xu;FANG Shuang-de;YANG Yi-fei;WU Ye(Department of Computer Science and Technology,Tsinghua University,Beijing 100084,China;Baidu,Beijing 100085,China)

机构地区:[1]清华大学计算机科学与技术系,北京100084 [2]百度公司,北京100085

出  处:《小型微型计算机系统》2018年第11期2464-2472,共9页Journal of Chinese Computer Systems

基  金:国家自然科学基金项目(61472214)资助

摘  要:检测数据库内部合法用户的异常行为,对防范内部攻击和数据泄露具有重要意义,然而面临如下挑战:攻击模式不确定,真实异常样例少,数据集缺少准确标注.人工设定阈值和规则难以有效应对复杂多样的异常.本文提出了一种基于无监督学习的用户行为异常检测方法,通过划定时间窗口统计提取特征,运用核密度估计算法分别从单维度、多维度建模,实现在海量的无标注历史日志中发现简单异常和复杂异常、在新的线上数据中检测异常.真实数据实验表明,该方法能够有效检测出简单异常,实验中检测三种简单异常的平均严格查准率和宽松查准率分别达90%和100%;能够从多维度找出存在攻击嫌疑的复杂异常,实验中成功检测出了一种单维度无法检测出的新的复杂异常.Detecting anomalous behaviors of legal internal users is of great significance for guarding against insider attack and preventing data leakage.However,challenges exist:uncertainty of attack strategies,lack of real anomaly cases and accurately labeled data,etc.Human-defined thresholds and basic rules are not enough for detecting complex and various anomalies.This paper proposes a method for user behavior anomaly detection based on unsupervised learning,aiming to effectively discover both simple and complex anomalies in unlabeled massive history log and detect anomalous behavior in new online data,by applying Kernel Density Estimation to single dimension and multiple dimensions respectively.Experiments on real data show that this method can detect simple anomalies in single dimension with an average strict precision of 90% and relaxed precision of 100%,and successfully discover a hidden complex anomaly in multiple dimensions which can not be detected by single dimension approach.

关 键 词:无监督学习 数据库 用户行为 异常检测 内部数据泄露 

分 类 号:TP309[自动化与计算机技术—计算机系统结构]

 

参考文献:

正在载入数据...

 

二级参考文献:

正在载入数据...

 

耦合文献:

正在载入数据...

 

引证文献:

正在载入数据...

 

二级引证文献:

正在载入数据...

 

同被引文献:

正在载入数据...

 

相关期刊文献:

正在载入数据...

相关的主题
相关的作者对象
相关的机构对象